SecurePCNews Blog

News, information and resources you need to protect yourself when you go online.

Thursday, June 26, 2008

Citibank ATM PINs May Have Been Stolen

Is your ATM PIN number safe inside your bank? Citibank customers may have a reason to be concerned. According to this widely published news story, hackers appear to have accessed not only ATM card numbers but, frighteningly, PIN numbers as well. Here's the story as published by Kevin Poulsen on Wired Magazine's website:

A computer intrusion into a Citibank server that processes ATM withdrawals led to two Brooklyn men making hundreds of fraudulent withdrawals from New York City cash machines in February, pocketing at least $750,000 in cash, according to federal prosecutors.

The ATM crime spree is apparently the first to be publicly linked to the breach of a major U.S. bank's systems, experts say.

"We've never heard of PINs coming out of the bank environment," says Dan Clements, CEO of the fraud watchdog company CardCops, who monitors crime forums for stolen information.

Credit card and ATM PIN numbers show up often enough in underground trading, but they're invariably linked to social engineering tricks like phishing attacks, "shoulder surfing" and fake PIN pads affixed to gas station pay-at-the-pump terminals.

But if federal prosecutors are correct, the Citibank intrusion is an indication that even savvy consumers who guard their ATM cards and PIN codes can fall prey to the growing global cyber-crime trade.

"That's really the gold, the debit cards and the PINs," says Clements.

Citibank denied to Wired.com's Threat Level that its systems were hacked. But the bank's representatives warned the FBI on February 1 that "a Citibank server that processes ATM withdrawals at 7-Eleven convenience stores had been breached," according to a sworn affidavit (.pdf) by FBI cyber-crime agent Albert Murray.

Federal prosecutors in New York have charged 32-year-old Ukrainian immigrant Yuriy Ryabinin, aka Yuriy Rakushchynets, with access device fraud for allegedly using the stolen information to go on a cash-withdrawal spree. Ryabinin, who is allegedly an active member of underground credit card fraud forums, is not charged with the intrusion itself. He and a co-defendant "received over the internet information related to Citibank customers, which information had previously been stolen from Citibank," according to an indictment (.pdf) in the case.

Also charged is 30-year-old Ivan Biltse, who allegedly made some of the withdrawals, and Angelina Kitaeva. Ryabinin's wife is charged with obstruction of justice in the investigation.

In addition to looting Citibank accounts, Ryabinin is accused of participating in a global cyber crime feeding frenzy that tore into four specific iWire prepaid MasterCard accounts last fall. From September 30 to October 1 -- just two days -- the iWire accounts were hit with more than 9,000 actual and attempted withdrawals from ATM machines "around the world," according to Murray's affidavit, resulting in a staggering $5 million in losses.

Ryabinin was allegedly responsible for more than $100,000 of the stolen iWire cash, which he pulled from Brooklyn ATMs. St. Louis-based First Bank, which issued the cards, declined to comment on the matter, citing the ongoing prosecution.

For more information about what to do if you think you may be the victim of identity theft or account fraud, visit SecurePCNews, where you can find specific information about dealing with Identity Theft.

At the time of the ATM capers, FBI and U.S. Secret Service agents had already been investigating Ryabinin for his alleged activities on eastern European carder forums.

Ryabinin allegedly used the same ICQ chat account to conduct criminal business, and to participate in amateur radio websites. The feds compared photos of Ryabinin from some of the ham sites to video captured by ATM cameras in the New York Citibank and iWire withdrawals, and determined it was the same man -- right down to the tan jacket with dark-blue trim.

When they raided Ryabinin's home, agents found his computer logged into a carding forum. They also found a magstripe writer, and $800,000 in cash, including $690,000 in garbage bags, shopping bags and boxes stashed in the bedroom closet. Another $99,000 in cash turned up in one of the safe deposit boxes rented by Ryabinin and his wife, Olena. Biltse was also found with $800,000 in cash.

Ryabinin's wife told investigators that she witnessed her husband "leave the couple's house with bundles of credit cards in rubber bands and return with large sums of cash," a Secret Service affidavit (.pdf) reads. You can view the full story at Wired.com.
